Use existing securetty

Signed-off-by: Avi Deitcher <avi@deitcher.net>

pkg/getty/README.md

@@ -16,6 +16,12 @@ services:
 The above will launch a getty for each console defined in the cmdline, i.e. `/proc/cmdline`.
 
 
+### securetty
+Every console defined in the `cmdline` **must** also already exist in `/etc/securetty` if you wish to login on that tty as root. If it does not exist, a getty will be started, but you will not be able to login as root. A warning message will be sent to that tty.
+
+If you are using a console that is not in `securetty`, you can add it by overriding the default `securetty` file in the linuxkit root filesystem using `files:` in your moby `.yml` file.
+
+
 ### Login Options
 There are 3 ways to launch a getty on a linuxkit instance:
 

pkg/getty/usr/bin/rungetty.sh

@@ -35,7 +35,8 @@ start_getty() {
 	fi
 
 	if ! grep -q -w "$tty" "$securetty"; then
-		echo "$tty" >> "$securetty"
+		# we could not find the tty in securetty, so start a getty but warn that root login will not work
+		echo "getty: cmdline has console=$tty but does not exist in $securetty; will not be able to log in as root on this tty $tty." > /dev/$tty
 	fi
 	# respawn forever
 	infinite_loop setsid.getty -w /sbin/agetty $loginargs $line $speed $tty $term &
@@ -49,6 +50,13 @@ if [ -f $ROOTSHADOW ]; then
 	echo >> /etc/shadow
 fi
 
+ROOTSTTY=/hostroot/etc/securetty
+if [ -f $ROOTSTTY ]; then
+	cp $ROOTSTTY /etc/securetty
+	# just in case someone forgot a newline
+	echo >> /etc/securetty
+fi
+
 for opt in $(cat /proc/cmdline); do
 	case "$opt" in
 	console=*)